Loft Management Roles
Management roles in Loft are just that: roles that can be applied to users or teams and that govern that user's or team's permissions with respect to the Loft instance itself. Management Roles are actually ClusterRoleTemplate objects, which in turn are just a thin wrapper around normal Kubernetes ClusterRole objects. The ClusterRoleTemplate object is then deployed as a ClusterRole to each connected cluster in the Loft deployment.
Users can create additional Management Roles, or use one of the many default roles that exist. Some examples of default roles are as follows:
- Cluster Admin: a role that gives a user/team full admin privileges over connected clusters.
- App Viewer: a role that allows a user/team to view all Apps (but not edit them).
In many Loft deployments you can get away with using the pre-defined Management Roles, but you are always free to create more of your own if needed.
If you don't see any Management Roles present in your Loft installation, they have either been deleted, or, more likely, your Loft instance was deployed with the DISABLE_DEFAULT environment variable set, which causes Loft to not install default objects, including the Management Roles.
Create Management Role
Management Roles can be created in the Loft UI.
- In the Loft UI, select the Users field on the left-most menu bar.
- From the User Management pane, click the Management Roles button.
- Click the button.
- In the drawer that appears from the right, give your Management Role a name by replacing the 'my-role' placeholder name, or by updating the manifest YAML 'metadata.name' field.
- On the Rules tab, the RBAC Rules section contains settings relating to the permissions that this role should grant. The rules here follow standard Kubernetes RBAC configuration; see the Kubernetes [documentation](https://kubernetes.io/docs/reference/access-authn-authz/rbac/) for more details.
- On the Rules tab, the Aggregation section allows users to include rules from other ClusterRoles into this role, by matching the additional ClusterRoles by label. This is a nice way to aggregate multiple smaller roles into a single role that can then be applied to users/teams.
- Access allows you to define which users and teams have access to modify the role you are currently creating.
- Click on the button.
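The label-based aggregation described in the Aggregation step above can be previewed offline, so you know exactly which rules a role will end up granting before it is assigned. This is an added example, not Loft's own code: it assumes standard Kubernetes ClusterRole aggregation semantics (matchLabels only), and the role names and the example.com label are constructed.

```python
# Constructed sample ClusterRoles (hypothetical names and labels), as plain dicts.
AGG_LABEL = {"example.com/aggregate-to-team-ops": "true"}
ROLES = [
    {"metadata": {"name": "team-ops", "labels": {}},  # the aggregating role
     "aggregationRule": {"clusterRoleSelectors": [{"matchLabels": AGG_LABEL}]},
     "rules": []},
    {"metadata": {"name": "pod-reader", "labels": dict(AGG_LABEL)},
     "rules": [{"apiGroups": [""], "resources": ["pods"],
                "verbs": ["get", "list", "watch"]}]},
    {"metadata": {"name": "secret-admin", "labels": dict(AGG_LABEL)},
     "rules": [{"apiGroups": [""], "resources": ["secrets"], "verbs": ["*"]}]},
    {"metadata": {"name": "unrelated", "labels": {"team": "other"}},
     "rules": [{"apiGroups": ["apps"], "resources": ["deployments"],
                "verbs": ["get"]}]},
]


def matches(selector, labels):
    """True if every matchLabels pair is present (matchExpressions not handled)."""
    return all(labels.get(k) == v
               for k, v in selector.get("matchLabels", {}).items())


def effective_rules(role_name, roles):
    """Return [(source_role, rule)] that aggregation folds into role_name."""
    target = next(r for r in roles if r["metadata"]["name"] == role_name)
    selectors = target.get("aggregationRule", {}).get("clusterRoleSelectors", [])
    out = []
    for r in roles:
        if r is target:
            continue  # a role does not aggregate itself
        labels = r["metadata"].get("labels", {})
        # Selectors are ORed: matching any one of them is enough.
        if any(matches(s, labels) for s in selectors):
            out.extend((r["metadata"]["name"], rule) for rule in r.get("rules", []))
    return out


def wildcard_findings(role_name, roles):
    """Names of source roles contributing a '*' verb, resource or API group."""
    return sorted({src for src, rule in effective_rules(role_name, roles)
                   if any("*" in rule.get(f, [])
                          for f in ("verbs", "resources", "apiGroups"))})


if __name__ == "__main__":
    for src, rule in effective_rules("team-ops", ROLES):
        print(src, rule)
    print("wildcards from:", wildcard_findings("team-ops", ROLES))
```

Because every ClusterRole carrying the matching label is folded in, review who can create or label ClusterRoles whenever a Management Role relies on aggregation.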
Apply Management Role
Management Roles are not very useful if they are not applied to a user or team. Applying a Management Role can be done via the Loft UI.
User
- In the Loft UI, select the Users field on the left-most menu bar.
- From the User Management pane, click the Users button.
- Find the user you would like to apply a Management Role to from the list of users. Click the drop-down arrow next to your desired user, and click the Edit button in the drop-down menu.
- In the drawer that appears from the right, select the Advanced Options configuration tab.
- Click in the Cluster Roles For User box, find the role you would like to apply to the user and select it. You can add as many roles as you would like from this section.
- Click the button.
Team
- In the Loft UI, select the Users field on the left-most menu bar.
- From the User Management pane, click the Teams button.
- Find the team you would like to apply a Management Role to from the list of teams. Click the drop-down arrow next to your desired team, and click the Edit button in the drop-down menu.
- In the drawer that appears from the right, select the Advanced Options configuration tab.
- Click in the Cluster Roles For Team box, find the role you would like to apply to the team and select it. You can add as many roles as you would like from this section.
- Click the button.